Today, I would like to 'touch' an ungrateful topic of keeping both FreeBSD's base system and installed packages up-to-date.

After I started using FreeBSD at 5.4 times (2005) I have tried various methods of keeping my FreeBSD installations up-to-date, many of them terribly failed, but some recent ones seem to do the job as advertised. Even not so recently ago I thought, lets stick to RELEASE and do not compile newer versions of packages as there are available packages at FTP ... but there is a big problem with such attitude. First, once the RELEASE is completed, there are only security fixes for the base system, but there are no bug fixes for the RELEASE. Its even worse with packages for RELEASE since once they are built they are never later updated, even if they have security issues, not even mentioning bugs. So that is definitely not the right way.

The sollution seems to be tracking STABLE tree for the base system along with packages that are built every 2 weeks for the STABLE tree and compiling only when there are security issues in some of the installed packages, but there are for example 10 more days before their rebuilt versions would show up on the STABLE tree FTP. Below I would try to describe all that process of keeping FreeBSD up-to-date as simple as possible. In the first part I would focus on the base system and the second one will cover keeping packages up-to-date.

Some important information about keeping Your system this way. You would not rebuild the base system every day, not even every week, just when needed. Now what does it mean 'when needed' ... For example when there is a security issue, You would just follow the instructions in the SA (security advisory) to fix that issue, there is no need to rebuild whole world. The only reasons to rebuild the base system are that there has been found and fixed a bug in STABLE that affects You or that You need new features that has been merged into the STABLE branch (from CURRENT for example) like newer ZFS version or whatever.

As for the installation, You can install the RELEASE version and update to STABLE or install the daily STABLE snapshot so You would not have to build entire base system from source, the daily ISO images are available at http://pub.allbsd.org/FreeBSD-snapshots/ server.

Some facts about FreeBSD's base system:
-- once RELEASE is completed, there are only security fixes, there are no bug fixes
-- bugs in STABLE tree are fixed
-- security issues are also fixed in STABLE
-- the RELEASE branch allows to use binary updates via freebsd-update tool for security fixes
-- the STABLE branch requires compiling of the FreeBSD base system

We need to clone the current cource tree if we want to build up to date STABLE branch FreeBSD's base system, we will also need to update our sources to the current state so its quite handy to find fastest server for Your location, it can be easily done by using fastest_cvsup package.

Now lets get/update our sources to the current state, the list of edited/checked files will be quite different on Your box since I already have quite up-to-date sources, this will take more time if You do not have the sources on the disk.

Alternatively, You can grab the sources by SVN protocol, but You will need devel/subversion16 port/package for that purpose. Its generally a lot faster/easier to 'setup' then csup but the 'csup way' has one important advantage, its in the FreeBSD's base system, so its always available, anywhere. With SVN, You will have to add a package first which sometimes may be cumbersome. But as the FreeBSD source tree is kept under SVN it is possible that SVN will be part of the FreeBSD's base system one day.

Its also important to mention, that sources downloaded by subversion are not compatible with the sources grabbed by csup, so once You will decide which method to use, stick with it, unless You want to download the whole FreeBSD's source tree again. Below is the line needed to update the FreeBSD sources to 9-STABLE latest state.

Code:

# svn checkout svn://svn.freebsd.org/base/stable/9 /usr/src

Its the same no matter if You download the whole tree or just doing an update from yesterday. If svn will complain about anything, just delete the /usr/src and type the command again.

Now as we have the sources we can continue to building the FreeBSD's base system from source. As for editing the kernel config, You do not even have to bother about it, just use GENERIC, this guide is not about stripping the base system and kernel components, its about keeping everything up-to-date. Of course if You want to, then use Your tweaked kernel config, it will not interfere with the rest of this guide. You may want to put nice -n 20 in front of make buildworld ... line to make that build process less 'amusing' for your system. As instructions are completed, Your system will reboot.

We are now proceeding to the second phase of the upgrade process, after normal boot (single user mode not required and definitely prohibited while doing upgrade over the network) stop all unneeded services (remember to keep sshd daemon alive if you are doing upgrade via network). If your system booted up properly, then You can make the new testing kernel the default one, at least there should not be any problems with the GENERIC kernel config

Now we can continue to type rest of needed instructions to finish the update, the mergemaster will ask You for the differences in startup scripts that You have modified and configuration files, type 'I' to install the new/default config and/or script and select 'D' to leave the version that you have in the system, remember that You can also add these changes later, it may be not appreciate to install default firewall config or customized OpenSSH config while doing the network upgrade.

After that second reboot You should have updates to STABLE branch FreeBSD's base system, I wrote 'should' because sometimes things do not go the way we want them to go, especially if you are doing it the first time as once Aerosmith sing "I know it's everybody's sin, You got to lose to know how to win". It would be best to do these instructions as exercise under virtual machine like VirtualBox or QEMU.

Also, if you do not feel that STABLE is 'production enought', then You may want to use STABLE packages along with RELEASE base system, You will need to define environment variable PACKAGESITE that will point to ftp://ftp.freebsd.org/pub/FreeBSD/po...stable/Latest/ at least for FreeBSD 8.x system.

PART II. Keeping the FreeBSD packages up-to-date

Keeping packages up to date is little more tricky, we will also need the STABLE branch for them as these in RELEASE are not updated. Lets assume that You installed the FreeBSD STABLE snapshot a month ago, along with packages that were built by then, now there will be quite a lot of new versions for many packages which is not that important, but some of them can (and probably have) security issues and definitely should be updated. You can of course compile them from Ports using portmaster but why waste time for compiling, when You can use built every 2 weeks packages from the STABLE branch? The pkg_upgrade script from the bsdadminscripts package will be quite helpful here. It will fetch latest available packages from the STABLE FTP and there is a chance that the security issues will be solved by the newer versions, if not, we are forced to rebuild those packages from source using portmaster, but its a lot better and faster to recompile 1-2 packages instead of 30 or more.

As for updating the packages, I generally check them daily, mostly for security issues that would be reported with portaudit, there are often new versions reported, sometimes even quite lot, but as long as there are 0 problem(s) in your installed packages found. I do not bother. From time to time I fire up pkg_upgrade -a -C to fetch the latest packages from the STABLE branch FTP.

Some of You would certainly ask why use pkg_upgrade instead of updating with portmaster? Well, for example You have package z-1.0 installed in Your system, latest package available on the FTP is z-1.1 (newer) but version in Ports is z-1.2, so portmaster will omit that z-1.1 package no matter if its newer or not and will force You to compile the z-1.2 package from the Ports system.

Keeping FreeBSD packages up-to-date in short:
-- use packages from STABLE that are built every 2 weeks
-- use pkg_upgrade to update packages
-- use portmaster to rebuild packages that have security issues

Some facts about being up-to-date with FreeBSD's packages:
-- with every RELEASE packages are built and then they are never updated, even if they have security issues
-- for the STABLE tree packages are rebuilt every 2 weeks

First, we need to install tools that we will use to keep FreeBSD packages up-to-date.

Code:

# pkg_add -r bsdadminscripts portmaster portaudit

Optionally, we can allow users in group wheel to perform these task using sudo (You will have to add sudo package with pkg_add -r sudo commend) as they are already allowed to login on the root account, we can of course create separate group like maintainers that will be allowed to perform upgrades. You will need this line below in /usr/local/etc/sudoers file.

Here is the most important part, the commands put together into functions that will allow us easy checking for newer versions of the packages, security issues and updating them to newer/fixed versions. The ports-check function fetches latest Ports tree, then shows what new packages are available comparing to those installed on the system, next the security issues are checked with portaudit and last, the /usr/ports/UPDATING file is checked for various messages that can affect us. The ports-check does not rebuild or update any packages, only, as the name says, checks.

... and thats it generally, I would show some example of these functions usage below.

You will have to put these functions into Your shells startup files, it will be /etc/profile for sh shell and bash, /etc/zshrc for zsh. It will not work for C-shells like csh since they do not support functions and are retarded in many other ways: http://www.grymoire.com/Unix/CshTop10.txt

Drawbacks

Using this way of keeping the installed packages up-to-date You have to remember two things.

Customized packages. If You built some package with non-default options by compiling it, after upgrade it will 'revert' do the default options and You will have to build it again.

Kernel modules. Any package that comes with kernel modules can and probably will break at some point because the STABLE source tree is a 'moving target', that is one of the good reasons to update the base system and then update to latest packages. The packages that have kernel modules are for example emulators/virtualbox-ose (VirtualBox), sysutils/fusefs-kmod (FUSE implementation) and most notably x11/nvidia-driver (binary nVidia graphics driver).

__________________religions, worst damnation of mankind"If 386BSD had been available when I started on Linux, Linux would probably never had happened." Linus TorvaldsLinux is not UNIX! Face it! It is not an insult. It is fact: GNU is a recursive acronym for “GNU's Not UNIX”.vermaden's:linksresourcesdeviantartspreadbsd

__________________religions, worst damnation of mankind"If 386BSD had been available when I started on Linux, Linux would probably never had happened." Linus TorvaldsLinux is not UNIX! Face it! It is not an insult. It is fact: GNU is a recursive acronym for “GNU's Not UNIX”.vermaden's:linksresourcesdeviantartspreadbsd

bapt@ blogged today about his experience with pkgng and binary upgrades, you might find that useful as well [2].

Thanks, maybe it will be useful as PKGNG will settle on rc* releases ;p

__________________religions, worst damnation of mankind"If 386BSD had been available when I started on Linux, Linux would probably never had happened." Linus TorvaldsLinux is not UNIX! Face it! It is not an insult. It is fact: GNU is a recursive acronym for “GNU's Not UNIX”.vermaden's:linksresourcesdeviantartspreadbsd

-- the RELEASE branch allows to use binary updates via freebsd-update tool for security fixes
-- the STABLE branch requires compiling of the FreeBSD base system

If you are running STABLE, how then do you upgrade to a future version of FreeBSD? If you periodically need to recompile the base system from source, doesn't that significantly lessen the advantages of using packages?

Is there any way to keep a FreeBSD server up to date (both base and userland) using only binaries?

How to upgrade? A few different ways... I only use one of them, there are guides, using
STABLE
................................
2nd question, will be clear once you have a few years of experience and know the tradeoffs. Nothing really to answer without a lot of text.
................................
If you've a non-hobbyist server, there are several ways to keep it upgraded, and will depend upon the physical configuration, amount of hardware, programs used to
upgrade with, etc. (Many ways, many guides, several books). As far as only binaries,
it depends upon which are/would be available, and would vary with each server instance
as to a precise answer.

If you are running STABLE, how then do you upgrade to a future version of FreeBSD? If you periodically need to recompile the base system from source, doesn't that significantly lessen the advantages of using packages?

Is there any way to keep a FreeBSD server up to date (both base and userland) using only binaries?

I track freshbsd.org site to see which commits are MFC to STABLE, if I find something interesting then I make these:

__________________religions, worst damnation of mankind"If 386BSD had been available when I started on Linux, Linux would probably never had happened." Linus TorvaldsLinux is not UNIX! Face it! It is not an insult. It is fact: GNU is a recursive acronym for “GNU's Not UNIX”.vermaden's:linksresourcesdeviantartspreadbsd